AWS PrivateLink for Starburst (Trino)

Getting Started

AWS PrivateLink provides private connectivity from the Immuta SaaS platform to customer-managed Starburst (Trino) Clusters hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.

This feature is supported in most regions across Immuta's Global Segments (NA, EU, and AP); please contact your Immuta account manager if you have questions about availability.

Requirements

• You have an Immuta SaaS tenant.
• Your Starburst (Trino) Cluster is hosted on AWS.
• You have set up an AWS PrivateLink Service for your Starburst Cluster endpoints.
  • If you have configured Private DNS Hostnames on your PrivateLink Service, the domain ownership must be verifiable via a public DNS zone. This means that you cannot use a Top-Level Domain (TLD) that is not publicly resolvable, e.g. starburst.mycompany.internal.
  • If you are using TLS, the presented certificate must have the Fully-Qualified Domain Name (FQDN) of your cluster as a Subject Alternative Name (SAN).
  • When creating the service, make sure that the Require Acceptance option is checked (this does not allow anyone to connect; all connections will be blocked until the Immuta Service Principal is added).
  • Only TCP connections over IPv4 are supported.

Configure Starburst (Trino) with AWS PrivateLink

1. Open a support ticket with Immuta Support with the following information:
   • AWS Region
   • AWS Subnet Availability Zones IDs (e.g. use1-az3)
   • VPC Endpoint Service ID
   • DNS Hostname
   • Ports Used
2. Authorize the Service Principal provided by your representative so that Immuta can complete the VPC Endpoint configuration.
3. Configure the Starburst (Trino) integration.
4. Register your tables as Immuta data sources.